Conjur Ansible Lookup Plugin and SSH Key File

JfcAtCyberArk · November 4, 2020, 2:05pm

Hi there,

I would like to know if anyone already managed to use the conjur-variable lookup plugin from the cyberark.conjur collection to fetch SSH Keys.

Use case: I’d like Ansible AWX to fetch SSH Keys (Managed inside CyberArk Vault) from CyberArk DAP/Conjur to connect to an Ansible dynamic inventory.

Option 1: using CyberArk Conjur Secret Lookup Credential Type and Machine Credential Type
It works fine but does not allow to parameterize the secret id given the hostname of the inventory host being configured.

Option 2 : using Job Template extra vars, Custom credential type and conjur-variable Lookup Plugin
it works fine with SSH

Custom credential type definition:

Input Configuration:

fields:
  - id: conjur_account
    type: string
    label: Organization Name in Conjur
  - id: conjur_version
    type: string
    label: Conjur Version
  - id: conjur_url
    type: string
    label: URL to Conjur Service
  - id: conjur_cert
    type: string
    label: PUBLIC KEY CERTIFICATE
    multiline: true  
  - id: conjur_authn_login
    type: string
    label: Host Login
  - id: conjur_authn_api_key
    type: string
    label: Host API Key
    secret: true
required:
  - conjur_account
  - conjur_url
  - conjur_authn_login
  - conjur_authn_api_key

Injector Configuration:

env:
  CONJUR_CONFIG_FILE: '{{ tower.filename.conf }}'
  CONJUR_IDENTITY_FILE: '{{ tower.filename.identity }}'
  CONJUR_CERT_FILE: '{{ tower.filename.cert }}'
file:
  template.conf: |-
    {
    "appliance_url": "{{ conjur_url }}",
    "account": "{{ conjur_account }}"
    }
  template.identity: "machine {{ conjur_url }}/authn\n\tlogin {{ conjur_authn_login }}\n\tpassword {{ conjur_authn_api_key }}"
  template.cert: "{{ conjur_cert }}"

Extra vars:

---
ansible_user: 'cloud-user'
ansible_password: "{{ lookup('conjur_variable', 'Vault/Cloud_Automation/CYBR_Unix_Cloud_Users/CYBR_UnixSSH-' + inventory_hostname + '-' + ansible_user + '/password') }}"

While it works like a charm with ansible_password (using SSH passwords) it does not work with SSH Keys.

ansible_ssh_pass and ansible_ssh_private_key_file don’t work.

Any ideas/comments?

Any help will be appreciated,

Many Thanks,

JFC

JfcAtCyberArk · November 13, 2020, 5:04pm

This PR: https://github.com/cyberark/ansible-conjur-collection/pull/51 should solve this.
It will allow to parameterize the SSH Key retrieved from CyberArk based on the inventory hostname without the need to modify playbooks.
The Key is fetched from Conjur/DAP

Thanks jcosteatcyberark for the contribution

Thanks,
JFC

system · November 20, 2020, 5:04pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Securing Ansible Playbooks with Conjur Secrets Management - Conjur, Secrets Hub & CP	6	1614	October 8, 2019
Getting 401 error when using lookup('conjur_variable', 'secret/path') in ansible Secrets Management - Conjur, Secrets Hub & CP ansible	6	2445	April 10, 2020
Concourse integration with DAP Conjur Enterprise howto	3	1429	August 1, 2022
Ansible fetching secrets from conjur : faces error -> Error was a <class 'urllib2.HTTPError'>, original message: HTTP Error 404: Not Found" - which is fetched by Api Secrets Management - Conjur, Secrets Hub & CP ansible , summon , summon-conjur	5	1319	July 9, 2020
Conjur set-up and usage of credentials in springboot app Development	2	456	September 10, 2021

Conjur Ansible Lookup Plugin and SSH Key File

Related Topics